[185883] in North American Network Operators' Group


RE: DNSSEC and ISPs faking DNS responses

daemon@ATHENA.MIT.EDU (Tony Finch)
Mon Nov 16 06:15:21 2015

X-Original-To: nanog@nanog.org
Date: Mon, 16 Nov 2015 11:14:42 +0000
From: Tony Finch <dot@dotat.at>
To: eric-list@truenet.com
In-Reply-To: <002801d11e3e$d8973990$89c5acb0$@truenet.com>
Cc: 'nanog list' <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

eric-list@truenet.com <eric-list@truenet.com> wrote:

> Actually, how are other places implementing these lists?  I would have
> thought to use RPZ, but as far as I know if the blocked DNS domain is
> using DNSSEC it wouldn't work.

You can configure RPZ with the "break-dnssec" option which means
validating clients will fail to resolve the blocked domains.

DNSSEC only protects you from getting bad answers. If someone wants you to
get no answers at all then DNSSEC cannot help.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Tyne, Dogger, Fisher: Southwest 6 to gale 8, occasionally severe gale 9 at
first. Rough or very rough, becoming mainly moderate in Tyne. Rain or showers.
Good, occasionally poor.
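The configuration Tony describes, as an added example rather than anything from his message or from the BIND project: a BIND 9 `named.conf` fragment that enables RPZ with `break-dnssec yes`, and the matching RPZ zone file that blocks one name. The zone name `rpz.local`, the file name `rpz.local.db`, and the blocked domain `blocked.example` are placeholders chosen for illustration.

```conf
// named.conf (resolver side) -- added example, names are placeholders

options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;

    // Apply the policy zone to every response.
    // Without "break-dnssec yes", BIND skips RPZ rewriting for
    // DNSSEC-signed data when the client asked for DNSSEC (DO bit set),
    // so the block would silently not apply to validating clients.
    // With it, the rewrite is applied anyway; the synthesized answer
    // carries no valid signature, so validating clients get SERVFAIL
    // instead of the real answer.
    response-policy {
        zone "rpz.local";
    } break-dnssec yes;
};

// The policy zone itself; queries from outside are refused.
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };
};
```

The companion `rpz.local.db` (placeholder contents) uses the RPZ convention that a CNAME to `.` means "answer NXDOMAIN" for the name and everything under it:

```conf
$TTL 300
@                   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
@                   IN NS   localhost.
blocked.example     IN CNAME .
*.blocked.example   IN CNAME .
```

To check the effect, query the resolver directly with `dig @<resolver> blocked.example A` and expect NXDOMAIN; then query it through a validating forwarder or stub and expect SERVFAIL, which is exactly the outcome the message describes: DNSSEC cannot turn the forged NXDOMAIN back into the real answer, it can only refuse to trust it.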
